"To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery," Kaspersky Lab wrote in its analysis. "ExPetr (aka NotPetya) does not have that installation ID, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data."

According to Suiche, while older versions of Petya ransomware would read each sector of a disk and reversibly encode them, this Petya-like malware "does permanent and irreversible damages to the disk" by overwriting sector blocks.

Suiche said this means the attacks were ransomware scams and the malware should be considered a "wiper," because its intent was not to make money, but to "destroy and damage."
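The two properties described above, an installation ID that does or does not let the operator recover the disk key, and sector blocks that are reversibly encoded versus irreversibly overwritten, can be shown with a small model. The following Python is an added example written for this page, not code from Petya, ExPetr/NotPetya, Kaspersky Lab or Suiche. It is a deliberate simplification: a keystream derived from SHA-256 in counter mode stands in for the malware's cipher, and wrapping the disk key under an operator secret by XOR stands in for whatever key-wrapping the real family used; the operator secret, disk contents and sector size are all constructed for the demo.

```python
"""Toy model: ransomware-style key escrow through the installation ID versus a
wiper-style random ID plus irreversible overwrite.  Added example; nothing here
is taken from the real malware."""
import hashlib
import secrets

SECTOR = 512                                   # assumed sector size for the model
OPERATOR_SECRET = b"operator-secret-never-on-victim"   # constructed for the demo


def keystream(key: bytes, n: int) -> bytes:
    """Deterministic keystream of n bytes: SHA-256(key || counter), concatenated.
    A stand-in for the stream cipher; fine for a model, not for real use."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_with_stream(data: bytes, key: bytes) -> bytes:
    """Reversible encoding: applying it twice under the same key restores data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def petya_style(disk: bytes):
    """Ransomware model: every sector is reversibly encoded, and the per-victim
    key is wrapped under the operator secret to form the installation ID."""
    key = secrets.token_bytes(32)
    install_id = xor_with_stream(key, OPERATOR_SECRET)   # operator can unwrap this
    return xor_with_stream(disk, key), install_id, key


def notpetya_style(disk: bytes):
    """Wiper model: the installation ID is random and carries no key material,
    and the first sector block is overwritten with random bytes, not encoded."""
    key = secrets.token_bytes(32)
    install_id = secrets.token_bytes(32)                 # unrelated to key
    encoded = bytearray(xor_with_stream(disk, key))
    encoded[:SECTOR] = secrets.token_bytes(SECTOR)       # irreversible damage
    return bytes(encoded), install_id, key


def operator_recover_key(install_id: bytes) -> bytes:
    """What the operator can derive from the ID a paying victim sends in."""
    return xor_with_stream(install_id, OPERATOR_SECRET)


def victim_decrypt(encoded: bytes, key: bytes) -> bytes:
    return xor_with_stream(encoded, key)


def demo(style):
    """Returns (recovered via the ID, recovered even with the true key)."""
    disk = bytes(range(256)) * 8                         # constructed 2 KiB 'disk'
    encoded, install_id, true_key = style(disk)
    via_id = victim_decrypt(encoded, operator_recover_key(install_id)) == disk
    via_true_key = victim_decrypt(encoded, true_key) == disk
    return via_id, via_true_key


if __name__ == "__main__":
    print("Petya-style   (via ID, via true key):", demo(petya_style))
    print("NotPetya-style(via ID, via true key):", demo(notpetya_style))
```

In the ransomware model the ID alone gets the operator back to the key, so paying could work; in the wiper model the ID is useless to the operator, and the overwritten sector block stays unrecoverable even for someone holding the true key, which is why the text calls this a wiper rather than ransomware.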

"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon," Suiche wrote in a blog post. "The fact of pretending to be a ransomware while being in fact a nation state attack -- especially since WannaCry proved that widely spread ransomware aren't financially profitable -- is in our opinion a very subtle way from the attacker to control the narrative of the attack."

Additionally, although the bitcoin address associated with the ransomware scam had received 45 payments worth approximately $10,000 at the time of this post, the email address connected to the attackers has been shut down, so victims who pay have no way to reach the attackers for a key.

Victims keep sending money to Petya, but will not get their files back: No way to contact the attackers, as their email address was killed. pic.twitter.com/68vxThNIPM
